In force since July 1, 2024, the Oregon Consumer Privacy Act (OCPA) is one of the broadest state privacy laws in what it reaches. Beyond the usual rights to access, correct, delete, and opt out, Oregon lets residents request the specific companies that received their data, extends to the information generated by a person's car, and bans the sale of precise location data outright.

The Montana Consumer Data Privacy Act (MTCDPA) took effect on October 1, 2024, and its lower coverage thresholds mean it protects Montanans' data across a wider range of companies than most state laws reach. It lets Montanans access, correct, delete, and opt out of the sale and targeted-advertising uses of their data, and a 2025 amendment added strong new protections for the data of minors.

Colorado was among the first states to let people opt out of online tracking with a single browser signal rather than site by site, a requirement built into the Colorado Privacy Act (CPA) that has been in effect since July 1, 2023. The law gives Coloradans the same core rights to access, correct, delete, and opt out, and it empowers the Attorney General to write detailed rules carrying it out.

Passed in 2023, the Indiana Consumer Data Protection Act (INCDPA) carried one of the longest lead times of any state privacy law and did not take effect until January 1, 2026. Modeled on Virginia's law, it gives Indiana residents the right to access, correct, delete, and obtain a copy of their personal data and to opt out of targeted advertising, the sale of their data, and profiling.